Version 2.5.9 adds a number of new features to Perception, including improvements to security, system performance and usability.

To start, Perception now supports communicating over HTTPS with the UI, and allows the import of certificates. Although communication over a secure VPN was already fully encrypted, the addition of standard web-security measures increases the security of the system as a whole.

Performance is always a priority for us at Perception, and in this update we continue to improve system performance. We’ve changed the way our databases are structured, which means queries run faster and less disk space is required. We’ve also squashed a bug where very large databases were causing system performance issues. Likewise, the cache of SMB data was causing some sensors to use too much memory; this issue has been resolved with no effect on the detection performance of SMB-based behavioural identification.

Self-managed users will also benefit from the latest improvements to the user interface, including a number of smaller fixes that should improve usability. You can now delete swimlanes in KnowledgeBase if they are no longer needed, and some ForensicAI alerts have been provided with more detailed microcontrol information, meaning an alert can be triaged better without even opening it.

A full list of updates is below:

Added support for HTTPS connections to the UI including certificate import.

Improvements to SMB memory use to address issues with overloaded sensors.

Various UI fixes and improvements.

Enhancements to ForensicAI Alerts to give more detailed Microcontrol information and more accurate scoring.

Fix for Exceptions not matching on hostnames correctly.

This update will be pushed to all managed customers at the pre-agreed upgrade time. Self-monitored customers can update their own systems using the software upgrade processes. If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

A number of features have been improved in version 2.5.7, including small changes to the KnowledgeBase feature.

You can now annotate each event in KnowledgeBase so it’s clear what each connection means without just relying on the automatically generated metadata. We’ve also listened to your feedback and changed the way the column headers display so they look a little bit clearer. Two more useful changes in KnowledgeBase include a reordering of events based on sample time, so they should be in a more intuitive order, and indicators for the direction of the connection too, so you can see which host initiated each connection.

There are also some bug fixes and user enhancements, including refining the behaviours introduced in version 2.5.3, fixing issues with rendering some ForensicAI alerts, and protecting system stability with disk capacity protection.

A full list of updates is below:

Added support for text-based annotations to be included against KnowledgeBase events. This enables the user to add free text notes describing each event.

Fixed header position in KnowledgeBase swimlane diagram.

KnowledgeBase events now show direction of connection in swimlane diagram.

Updated KnowledgeBase to use sample time when ordering events in swimlane diagram.

Fixed an issue where behaviours were not loaded under HLC if the number of these exceeded a certain limit.

Added the ability to purge all data from the CCS and sensor should equipment need to be re-deployed or have all prior data removed.

This update will be pushed to all managed customers at the pre-agreed upgrade time. Self-monitored customers can update their own systems using the software upgrade processes. If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Huge steps forward have been taken in version 2.5.3 of Perception, including the long-awaited open Beta of the KnowledgeBase function, and several new hugely powerful behavioural identification techniques.

KnowledgeBase sits at the top menu bar alongside ForensicAI and is a function that allows the user to dive deep into a full record of every connection that’s happened on the network. This has been trialled extensively and has quickly become one of the analysts’ favourite features, as it allows them to quickly confirm a suspicion by searching for specific connections made using its great filtering capability. KnowledgeBase is now open to all users, and will continue to be developed over the coming months.

New behavioural logics have also been developed to identify specific behaviours at play on the network. The Suspected New Host Online behaviour has the capability to detect hosts not seen before on the network. This behaviour can be indicative of a planned system installation or an unauthorised device being connected to the network. This enables security teams to quickly identify the introduction of potentially vulnerable devices to the network. This information may then be correlated with subsequent suspicious behaviour in the event that the newly introduced device presents a threat to the network.

The New Service Activity Detected behaviour identifies when a host starts a new service, resulting in network activity on a previously closed port. Under normal operation a given host will run a particular set of services; when a new service is started, this typically results in network activity on a previously closed port. This behaviour can be indicative of a new application being installed on a host or an existing application suddenly going live. A new service or port coming online can be due to a planned configuration change, a configuration error, or an unauthorised application or user modification. This activity is of interest to a security team that expects a defined set of services to be running on a given machine on the network. The network activity resulting from the new service may be benign, or it may be indicative of malicious software now running on the host without the user’s knowledge.

Finally, the Loss of Service Activity Detected behaviour detects when a host ceases to run a service. This behaviour can be indicative of a system or hardware failure or a planned outage. It can help security teams to identify potential issues in the network, in particular where a failed service is related to a security incident.
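The three behaviours above all reduce to comparing a new observation window against a learned baseline of hosts and the (protocol, port) services each host answers on. The following is an added illustration of that comparison, not Perception’s own classifier code; the flow record format, the addresses and the two traffic windows are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection; a constructed record format for this example."""
    src: str       # host that initiated the connection
    dst: str       # host that answered
    dst_port: int  # port the responder served
    proto: str     # "tcp" or "udp"


def build_baseline(flows):
    """Summarise a learning window into the set of hosts seen and the
    (proto, port) services each host answered on."""
    hosts = set()
    services = defaultdict(set)
    for f in flows:
        hosts.update((f.src, f.dst))
        services[f.dst].add((f.proto, f.dst_port))
    return hosts, dict(services)


def detect_changes(baseline, window):
    """Compare an observation window against the baseline and return
    (behaviour, host, service) tuples in a stable order. The window must be
    long enough that a quiet but healthy service still shows some traffic,
    otherwise the loss-of-service check will over-report."""
    base_hosts, base_services = baseline
    win_hosts, win_services = build_baseline(window)
    events = []
    # Hosts absent from the learning window: a planned install or an
    # unauthorised device; either way a candidate for later correlation.
    for host in sorted(win_hosts - base_hosts):
        events.append(("Suspected New Host Online", host, None))
    # Known hosts answering on a (proto, port) they never served before.
    for host in sorted(win_services):
        if host not in base_hosts:
            continue  # brand-new host: its ports are not "new services"
        for svc in sorted(win_services[host] - base_services.get(host, set())):
            events.append(("New Service Activity Detected", host, svc))
    # Previously served (proto, port) pairs with no traffic in the window.
    for host in sorted(base_services):
        for svc in sorted(base_services[host] - win_services.get(host, set())):
            events.append(("Loss of Service Activity Detected", host, svc))
    return events


# Constructed sample traffic: a learning window and a later observation window.
BASELINE_FLOWS = [
    Flow("10.0.0.10", "10.0.0.5", 445, "tcp"),
    Flow("10.0.0.11", "10.0.0.5", 445, "tcp"),
    Flow("10.0.0.10", "10.0.0.6", 53, "udp"),
    Flow("10.0.0.11", "10.0.0.7", 3389, "tcp"),
]
WINDOW_FLOWS = [
    Flow("10.0.0.10", "10.0.0.5", 445, "tcp"),
    Flow("10.0.0.10", "10.0.0.5", 8080, "tcp"),  # file server now answers on 8080
    Flow("10.0.0.10", "10.0.0.6", 53, "udp"),
    Flow("10.0.0.42", "10.0.0.6", 53, "udp"),    # host never seen before
    # 10.0.0.7 no longer answers on tcp/3389: loss of service
]
```

Running `detect_changes(build_baseline(BASELINE_FLOWS), WINDOW_FLOWS)` yields one event of each of the three types for the constructed windows.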

A full list of updates is below:

Introduction of KnowledgeBase (beta). This is a new tool available on Perception to enable users to perform in-depth analysis on host statistics collected by the system. Data selection can be achieved through filtering and grouping, where filtering options are by time, by sensor and by grammar-based metadata selection. The result of the selections can be plotted on a timeline diagram for reporting and review purposes.

Three new behavioural classifiers have been added to the system. These are: Suspected New Host Online, New Service Activity Detected and Loss of Service Activity Detected.

Improved loading time of behaviours and Forensic AI views.

This update will be pushed to all managed customers at the pre-agreed upgrade time. Self-monitored customers can update their own systems using the software upgrade processes. If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Multiple improvements have been made to Perception in version 2.5.2, from increasing system performance to more advanced detection techniques.

The largest improvement is largely invisible, but makes the system configurable to allow processing limits to be applied to traffic received from the network. This increases the stability of the system as a whole, as it protects against bursts of network traffic. There have been more under-the-hood changes too: we have also upgraded the underlying operating system to the latest version.

More user facing changes include updates to some ForensicAI alerts to include scoring and suppression, further increasing confidence of a detection all while reducing any false alerts. This is part of ongoing work to bring all ForensicAI capability up to the same standard.

A full list of updates is below:

Patch release to address issue with Nginx package install.

Added configuration options to allow processing limits to be applied to traffic received from the network.

This update will be pushed to all managed customers at the pre-agreed upgrade time. Self-monitored customers can update their own systems using the software upgrade processes. If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

A suite of behavioural classifiers has been developed for the Perception sensors to detect suspicious activity based on the information gathered by the Network Drive Activity Cache. These classifiers monitor behaviours such as file access, modification, upload and download, and report on potential policy breaches and/or unusual activity.

The update also adds the ability to attribute user network-based activity to specific Windows file-sharing operations. This allows for enhanced detection of ransomware during the ransomware payload execution.

Additionally, policy-based classifiers can assist in ensuring that your company’s processes are being followed; for example, search patterns can be set up to look for certain filenames, users or extensions of interest that have been seen being used within your network.

So as we said last week, we’ve implemented a Network Drive Activity Cache and naturally, because we have a behavioural engine, we can now identify behaviours based on the information in that cache. We’ve put together a number of behavioural classifiers already based on some real world threats we’ve seen in the wild, but expect more of these classifiers to be implemented over time as we discover more vulnerabilities and scenarios we want to alert on.

One of the things Perception customers love the most isn’t just its ability to pick up on malicious activity, but its ability to discover network vulnerabilities before they are exploited by a malicious actor. Again, these classifiers can be used to discover poor network security practice, such as users storing confidential information in unencrypted files; it’s the little things like that which make Perception so useful.

This update is CCS and sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time. Self-monitored customers can update their own sensors and CCSs using the software upgrade process. Please be aware, this feature requires the Network Drive Activity Cache to be active. If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

A new mechanism has been developed on Perception sensors to allow file sharing activity between client machines and Windows network drives to be stored.

Enhanced visibility of network drive access provides the Perception classifiers with a huge amount of insight into a client machine’s behaviour. This in turn allows classifiers to detect potential threat behaviours such as accessing and downloading large parts of a network share or repeated download/upload activities that can often be indicative of malicious behaviour.

This feature also facilitates the inclusion of additional associated meta-data in the events generated by the system such as the names and locations of the files accessed which can be vital in cases where data exfiltration has taken place.

The Network Drive Activity Cache gives Perception an extra level of information on top of all of the existing meta-data it has. When files are transferred from or to Windows-based machines on a network, information about that transfer moves across the network. Perception now includes this information in any behaviours that identify file movement across a network. As a result, any behaviours that saw data movement can now also tell which files were accessed, and whether they were read or written.

Our analysts are already seeing great benefit from this feature, as it immediately identifies which files have been accessed in data movement events, so investigating suspicious events is far faster. Rather than having to trawl through capture files looking for which data has been accessed, the file information is right there, front and centre.

The information provided by this feature enables a number of additional capabilities, the first set of which we’ll tell you about next week. The system can also now build intelligence around who accesses which files, when, and how unusual this is for that person. How we utilise the Network Drive Activity Cache will become more and more sophisticated and beneficial as the system continues to improve, but it’s already showing great results.

This update is CCS and sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time. Self-monitored customers can update their own sensors and CCSs using the software upgrade process. Please be aware, this feature may change the performance requirement of the sensor, and can therefore be turned on or off as required. If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Perception now includes several classification methods to detect various types of behaviour that rely on DNS use.

We have added enhanced DNS behavioural detection capability to detect malware behaviours such as DNS tunnelling. These methods are typically used to circumvent traditional security defences allowing Command and Control channels to be setup on even very ‘locked down’ networks.

The detection of low and slow DNS tunnelling is complex and we have developed a number of Perception Behavioural Classifiers to assist in the detection. In addition, Forensic AI High Level Classifiers have also been developed to allow for a long term correlation capability. What this means is that the identification of this very advanced exfiltration technique is now identified by Perception and clearly explained to the analyst. You can learn more about DNS misuse as a data exfiltration technique by reading through our blog post on the topic.

This update is CCS and sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time. Self-monitored customers can update their own sensors and CCSs using the software upgrade process. If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

The ability for the analyst to assign domain types and trust levels to IP ranges has been added to the system. This introduces the basis for assigning security layers to better attribute behaviours to risk factors.

Perception can set various parts of a network to ‘trusted’ or ‘untrusted’. This feature enriches the information delivered in the behavioural events generated by the system enabling the analyst to better categorise potential threats. This also enhances the ForensicAI engine’s ability to detect potential threats based on the source and destination domain types and trust levels.

For example, the system could perhaps see a data movement internally between two ‘trusted’ parts of the network as not threat-like, whereas a data movement from a ‘trusted’ internal server to an ‘untrusted’ public WiFi network is far more interesting. ForensicAI also leverages this new data, being able to understand the relevance of multiple data movements, and correlating data moving between various trust levels of a network over time.
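The enrichment described above, as an added example that is not Perception’s own code: IP ranges carry an analyst-assigned domain type and trust level, each data-movement event is annotated with the trust context of both ends, and movements that leave a trusted zone are aggregated per source over time. The ranges, the event format and the events themselves are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Analyst-assigned domain types and trust levels per IP range. These
# assignments are constructed for the example; anything not covered is
# treated as external and untrusted.
TRUST_RANGES = [
    ("10.10.0.0/16", "internal-server", "trusted"),
    ("10.20.0.0/16", "workstation", "trusted"),
    ("192.168.50.0/24", "guest-wifi", "untrusted"),
]


def classify(ip, ranges=TRUST_RANGES):
    """Return (domain_type, trust_level) for an address, preferring the most
    specific (longest-prefix) range when several match."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, domain, trust in ranges:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, domain, trust)
    return (best[1], best[2]) if best else ("external", "untrusted")


def enrich(event):
    """Annotate a data-movement event with the trust context of both ends."""
    src_domain, src_trust = classify(event["src"])
    dst_domain, dst_trust = classify(event["dst"])
    return {
        **event,
        "src_domain": src_domain, "src_trust": src_trust,
        "dst_domain": dst_domain, "dst_trust": dst_trust,
        # Movement out of a trusted zone into an untrusted one is what the
        # text singles out as "far more interesting".
        "leaves_trusted_zone": src_trust == "trusted" and dst_trust == "untrusted",
    }


def correlate_outbound(events):
    """Aggregate trusted-to-untrusted movements per source across the whole
    event history, the over-time view the text describes for ForensicAI.
    Returns (event count, total bytes) keyed by source address."""
    totals = defaultdict(lambda: [0, 0])
    for e in map(enrich, events):
        if e["leaves_trusted_zone"]:
            totals[e["src"]][0] += 1
            totals[e["src"]][1] += e["bytes"]
    return {src: tuple(v) for src, v in totals.items()}


# Constructed data-movement events spanning several days.
EVENTS = [
    {"ts": "2019-03-01T09:00", "src": "10.10.1.5", "dst": "10.20.3.7", "bytes": 52_000_000},
    {"ts": "2019-03-01T22:10", "src": "10.10.1.5", "dst": "192.168.50.20", "bytes": 800_000_000},
    {"ts": "2019-03-02T12:00", "src": "192.168.50.9", "dst": "10.10.1.5", "bytes": 2_000},
    {"ts": "2019-03-04T23:05", "src": "10.10.1.5", "dst": "192.168.50.33", "bytes": 650_000_000},
    {"ts": "2019-03-05T10:30", "src": "10.20.3.7", "dst": "203.0.113.40", "bytes": 4_000_000},
]
```

The server-to-workstation movement in the first event stays inside the trusted zone, while the two late-night server-to-guest-WiFi movements accumulate against the same source, which is the pattern that becomes visible only when trust levels are correlated over time.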

This update is CCS and sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time. Self-monitored customers can update their own sensors and CCSs using the software upgrade process. If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

This feature adds a layer prior to the classification engine which enables the actual session destination IP addresses to be resolved from the hostnames visible from the traffic monitored behind the web proxy. The classification engine is then able to process session information as if the clients were communicating directly with the destination servers.

Monitoring networks where web proxies are deployed presented an issue where actual destination IP addresses were hidden from the system. Traffic being monitored behind a web proxy is always presented with the same destination IP address, that of the web proxy itself, rather than the real destination IP address. This results in poor performance for network monitoring systems due to the fact that a significant chunk of data appears to be targeted at a single destination, when in reality it’s going to multiple different places.

Monitoring behind a web proxy may be the only available option for a given customer, as the proxy itself may be located on the internet (e.g. cloud-based proxies) and therefore access to the output of the proxy may not be available. This previously presented a potential blind spot to the Perception classification engine.

This update solves this problem by delivering accurate IP information to Perception regardless of proxy use. As a result, Perception provides the same level of coverage and accuracy when used behind proxies as it does when deployed in a typical network.
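An added illustration of the pre-classification layer described above, not Perception’s own code: sessions whose destination is the proxy have their real destination resolved from the hostname visible in the traffic, so the per-destination view no longer collapses into a single bucket. The proxy address, the hostname-to-address mapping (standing in for DNS resolution) and the sessions are constructed; that the hostname comes from the HTTP Host header or TLS SNI is an assumption, since the page only says the hostnames are visible in the monitored traffic.

```python
from collections import Counter

# Constructed addresses: the cloud web proxy every client talks to, and a
# stand-in for DNS resolution of the hostnames visible in the monitored
# traffic (assumed here to be the HTTP Host header or TLS SNI).
PROXY_IPS = {"203.0.113.10"}
RESOLVED = {
    "files.example.com": "198.51.100.7",
    "updates.example.net": "198.51.100.20",
    "mail.example.org": "198.51.100.33",
}


def resolve_destinations(sessions, proxy_ips=PROXY_IPS, resolver=RESOLVED):
    """Rewrite sessions aimed at the proxy so the classifier sees the real
    destination. Sessions whose hostname cannot be resolved keep the proxy
    address and are flagged rather than silently dropped."""
    out = []
    for s in sessions:
        if s["dst"] not in proxy_ips:
            out.append({**s, "via_proxy": False})
            continue
        real = resolver.get(s.get("hostname", ""))
        if real is None:
            out.append({**s, "via_proxy": True, "unresolved": True})
        else:
            out.append({**s, "dst": real, "via_proxy": True, "proxy_ip": s["dst"]})
    return out


def destination_spread(sessions):
    """Count sessions per destination address; behind an unresolved proxy
    this collapses to a single bucket, which is the blind spot described."""
    return Counter(s["dst"] for s in sessions)


# Constructed traffic as seen by a sensor between clients and the proxy.
SESSIONS = [
    {"src": "10.0.0.21", "dst": "203.0.113.10", "hostname": "files.example.com", "bytes": 900_000},
    {"src": "10.0.0.22", "dst": "203.0.113.10", "hostname": "updates.example.net", "bytes": 40_000_000},
    {"src": "10.0.0.21", "dst": "203.0.113.10", "hostname": "mail.example.org", "bytes": 12_000},
    {"src": "10.0.0.23", "dst": "203.0.113.10", "hostname": "unknown.invalid", "bytes": 5_000},
    {"src": "10.0.0.21", "dst": "10.0.0.5", "bytes": 3_000_000},  # internal, not proxied
]
```

Before resolution four of the five sessions share the proxy address as their destination; afterwards three distinct external destinations appear and the one unresolvable session is flagged for the analyst.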

This update is sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time. Self-monitored customers can update their own sensors using the software upgrade process. Please note that Perception may need some extra configuration to function with proxy networks. If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

The biggest ever leap forward in Perception technology.

As you all know, Perception is a system that derives a level of understanding of the behaviour of all traffic on a network, capturing packets of that traffic on the way, and then allowing an analyst to look into patterns of that behaviour to determine what behaviour is malicious, dangerous, or indicative of a network vulnerability. What this boils down to is letting the system automatically generate the most useful data set and then allowing the analyst to use that mass of data to find what’s interesting. Whilst this method has proven to be more effective than standard solutions for finding existing threats and weaknesses on a network, it still relied on capable analysts with a deep understanding of network topology and threat landscapes.

Now, as part of a massive version 2.0 upgrade, we are adding a huge layer of capability onto the system, ForensicAI.

ForensicAI is an advanced system of artificial intelligence that automates large analysis tasks. ForensicAI constantly looks through the built up mass of behavioural data from Perception’s behavioural analysis, identifying patterns and common themes that indicate potential live threats and network vulnerabilities without any intervention by the user. When anything of interest is found, rich data is made available to the user in the form of an alert that explains what has happened, and why it is worth looking into.

ForensicAI works by constantly polling the knowledge base looking for multiple behaviours or series of behaviours over time. Because of the in-depth information generated by Perception’s behavioural analysis system, ForensicAI can generate alerts on activity that has occurred over the course of days, weeks, or months with extremely low false-alarm rates and very high detection rates. The system is also flexible: our customers can request the development of specific ForensicAI intelligence to look for areas of concern, or increase the tendency for ForensicAI to alert on certain behavioural patterns. This flexibility also allows the development team to constantly tweak the system to detect newer threats as they happen, and new logic is immediately able to look back into the knowledge base to see if anything has occurred since Perception was installed.

ForensicAI represents the first cyber security system that we know of that can automatically alert on low and slow behaviours over these sorts of timescales. Perimeter and endpoint solutions typically only have the ‘now’ available to them, and false alarm rates would be too high to generate alerts over some of the behaviours involved in more advanced attacks. SIEM tools can be used to gather data, but over time it becomes nearly impossible to find the needle in such a large haystack. ForensicAI can pick out malicious activity that involves something happening months ago, followed by other behaviours a few weeks later, and then something else happening in the last few minutes. As soon as the last piece in that puzzle falls into place, an alert is generated, which gives us that incredibly high detection rate.

With ForensicAI, Perception now has the capability to generate alerts from the large data sets, rather than just useful data to be used for further analysis. This allows our serviced customers to benefit from analysts spending more time investigating incidents rather than discovering patterns, and our self-monitored customers can benefit from immediate identification of in-progress malicious activity.

As with all our other software updates, Perception v2.0 including ForensicAI is a free software update to all existing customers.